CyberWire Daily – Episode Summary: "Taking Aim at Cybercrime"
Release Date: November 26, 2024
Host: Maria Varmazas
Guest: Clemence Poirier, Senior Cyber Defense Researcher at the Center for Security Studies, ETH Zurich
Produced by: N2K Networks
1. Disruption of Chinese Cybercrime Syndicates in Thailand
Key Highlights: Thai authorities successfully dismantled two sophisticated cybercrime syndicates operated by Chinese nationals, responsible for extensive fraudulent activities.
- Scam Call Operations:
The first syndicate exploited over 10,000 phone numbers with Bangkok's 02 area code to execute more than 700 million scam calls within three days. These calls promoted fraudulent investment schemes linked to three companies associated with Chinese nationals. As a result, 24 suspects (nine foreigners and fifteen Thais) were issued arrest warrants, with 10 individuals apprehended. "The fraudulent messages impersonated the Advanced Info Service and urged recipients to redeem expiring points via a provided link," explained Maria Varmazas. (02:32)
- SMS Blaster Incident:
Concurrently, authorities arrested a 35-year-old Chinese national who operated an SMS blaster from a van in Bangkok's Sukhumvit area. Over three days, the device, capable of sending 100,000 texts per hour within a three-kilometer radius, transmitted nearly one million phishing messages. These messages led recipients to phishing sites designed to harvest credit card information for unauthorized transactions abroad.
2. CyberVolk's Expansion and Ransomware Tactics
Overview: CyberVolk, a hacktivist group with possible Indian origins, has been active since at least March 2024. Unlike typical hacktivist groups that focus on Distributed Denial of Service (DDoS) attacks, CyberVolk employs ransomware and information-stealing malware.
- Global Impact:
The group has compromised critical infrastructure in Japan, France, and the UK, demanding $1,000 in cryptocurrency with victims instructed to pay within five hours. "CyberVolk's adaptability in using various ransomware families underscores the dynamic nature of affiliations among hacktivist groups," noted Maria Varmazas. (02:32)
- Ransomware Evolution:
Their ransomware is derived from the leaked source code of the pro-Russian group AzzaSec, and the group also uses families such as HexaLocker and Parano. This adaptability highlights the evolving tactics of hacktivist affiliates.
3. Major Cybersecurity Incidents
Microsoft 365 Outage: On November 25, 2024, Microsoft 365 services, including Outlook and Teams, experienced a significant outage affecting global users. The issue was attributed to a recent change impacting Exchange Online and Teams calendar functionalities, with 98% of environments restored by noon Eastern Time. Microsoft acknowledged the event's impact and committed to swift resolution.
Wirral University Teaching Hospital Cyber Attack: On November 26, 2024, the Wirral University Teaching Hospital NHS Trust in Northwest England declared a major incident due to a cyberattack affecting its entire network. This breach resulted in the cancellation of all outpatient appointments and a directive for the public to use emergency services only for genuine emergencies. This marks the third significant cyber incident targeting NHS units this year.
4. Advanced Threats and Malware Campaigns
Salt Typhoon's Ghost Spider Malware: Trend Micro reported on a new strain of malware, Ghost Spider, used by the Chinese state-sponsored threat actor Earth Estries (Salt Typhoon) targeting Southeast Asian telecommunications companies. This sophisticated multimodular backdoor operates alongside the Demodex rootkit for long-term espionage operations, compromising over 20 organizations across multiple countries, including Afghanistan, Brazil, and the United States.
RomCom's Exploitation of Zero Days: ESET reported that the Russia-aligned threat actor RomCom exploited critical zero-day vulnerabilities (CVE-2024-9680 and CVE-2024-49039) affecting Mozilla products and Windows systems. Chained together, these exploits allowed malware to be installed via malicious web pages without user interaction. Both vulnerabilities have since been patched.
5. Corporate Cyber Attacks and Legal Challenges
Blue Yonder Ransomware Attack: On November 21, 2024, Blue Yonder, a supply chain management software provider, faced a ransomware attack disrupting its managed services environment. Affected clients included Starbucks and UK supermarket chains Morrisons and Sainsbury's, impacting employee payments and supply chain operations. Blue Yonder has engaged cybersecurity firms to investigate and restore services, with no specific recovery timeline provided.
Google's UK Class Action Lawsuit: Google is currently facing a £7 billion ($8.8 billion) class action lawsuit in the UK. Led by Consumer Rights Advocate Nikki Stopford, the lawsuit alleges that Google abused its dominance in the search engine market by mandating Android device manufacturers to pre-install Google Search and Chrome, and paying Apple to make Google the default search engine on Safari. This conduct is claimed to have stifled competition, leading to higher advertising costs passed on to consumers. The UK's Competition Appeal Tribunal has allowed the case to proceed, marking a significant legal challenge for Google.
6. Insights from Clemence Poirier on Space Cybersecurity
Discussion Highlights:
Maria Varmazas interviews Clemence Poirier about the evolving landscape of cybersecurity attacks in space.
- Wake-Up Call from Viasat Attack:
The infamous Viasat cyberattack served as a catalyst, shifting the conversation towards the importance of cybersecurity in the space sector. Prior to this, cybersecurity was often overlooked by engineers, industry professionals, and policymakers within the space industry. "Nobody really paid so much attention to that and the threat was a bit overlooked as well," Clemence Poirier remarked. (15:14)
- Proliferation of Cyber Operations:
Poirier's research involved analyzing hundreds of hacker forums and social media channels, uncovering 124 cyber operations targeting the space sector in the context of the Ukraine conflict. These operations were often part of larger campaigns against specific countries rather than targeted solely at the space sector.
- Challenges for Hacktivist Groups:
Many hacker groups expressed fascination with space as the "final frontier" but acknowledged the complexities involved in executing attacks on space systems. This indicates a knowledge gap among threat actors regarding the intricacies of space cybersecurity. "There's still a knowledge gap for threat actors about how to enter into a space system," Poirier observed. (21:51)
- Evolving Conversations and Perceptions:
The Viasat attack has fundamentally changed how both the industry and adversaries view space cybersecurity. Commercial players like Starlink and Viasat are now recognized as critical infrastructure requiring robust protection.
7. Notable Cybercrime Case: Nicholas Kloster
Case Overview: Nicholas Kloster from Kansas City faces federal charges for his audacious cybercrimes aimed at pitching his cybersecurity services.
- Gym Breach:
Kloster breached a gym's security cameras and routers, offered to fix the vulnerabilities he exploited, reduced his gym membership fee to $1, deleted his profile, and manipulated the gym's systems—all before flaunting the compromised cameras on social media.
- Nonprofit Attack:
He utilized a boot disk to bypass authentication, install a VPN, and change account credentials, forcing the nonprofit to spend $5,000 on remediation and upgrades.
- Use of Stolen Data:
Kloster reportedly used stolen credit card data from a former employer to purchase hacking tools, solidifying his status as a rogue entrepreneur. "Real cybersecurity pros don't exploit systems, they protect them," Maria Varmazas emphasized. (15:14)
Kloster faces up to 15 years in prison for his actions, serving as a stark reminder of the ethical boundaries in cybersecurity.
Conclusion
This episode of CyberWire Daily provides an in-depth analysis of recent cybercrime activities, highlighting the global efforts to combat sophisticated threats emanating from state-sponsored actors and criminal syndicates. The discussion with Clemence Poirier sheds light on the emerging challenges in securing space infrastructure, emphasizing the need for heightened awareness and robust defense mechanisms. Additionally, the case study of Nicholas Kloster underscores the importance of ethical practices in the cybersecurity profession.
For more detailed information on today's stories, listeners are encouraged to visit the CyberWire daily briefing at thecyberwire.com.
Notable Quotes:
- "CyberVolk's adaptability in using various ransomware families underscores the dynamic nature of affiliations among hacktivist groups." – Maria Varmazas (02:32)
- "Nobody really paid so much attention to that and the threat was a bit overlooked as well." – Clemence Poirier (15:14)
- "There's still a knowledge gap for threat actors about how to enter into a space system." – Clemence Poirier (21:51)
- "Real cybersecurity pros don't exploit systems, they protect them." – Maria Varmazas (15:14)
Stay Informed: Subscribe to CyberWire Daily for comprehensive cybersecurity news and analysis from industry leaders. Share your feedback to help us deliver the insights you need to stay ahead in the rapidly evolving world of cybersecurity.
